======================================================================

                                  CERT-Renater

                       Note d'Information No. 2024/VULN506
_____________________________________________________________________

DATE                : 29/11/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cilium versions prior to 1.16.4.

=====================================================================
https://github.com/advisories/GHSA-xg58-75qf-9r67
_____________________________________________________________________

Cilium's Layer 7 policy enforcement may not occur in policies with
wildcarded port ranges

Moderate severity. GitHub Reviewed. Published Nov 25, 2024 in
cilium/cilium. Updated Nov 25, 2024.

Vulnerability details

Package
github.com/cilium/cilium (Go)

Affected versions
>= 1.16.0, < 1.16.4

Patched versions
1.16.4


Description

Impact

For users with the following configuration:

     An allow policy that selects a Layer 3 destination and a port
       range, AND
     A Layer 7 allow policy that selects a specific port within the
       first policy's range

then Layer 7 enforcement would not occur for the traffic selected by
the Layer 7 policy.

This issue only affects users who use Cilium's port range
functionality, which was introduced in Cilium v1.16.

For reference, an example of a pair of policies that would trigger
this issue is:


# Layer 3/4 rule: allows TCP ports 80-444 from the CIDR, with no L7 rules
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l3-port-range-rule"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    - fromCIDR:
        - 192.168.60.0/24
      toPorts:
        - ports:
            - port: "80"
              endPort: 444
              protocol: TCP

and

# Layer 7 rule: selects port 80 only, and restricts HTTP to GET /public
# (ingress is a list of rules, so the toPorts entry is a list item)
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l7-port-range-rule"
spec:
  endpointSelector:
    matchLabels:
      app: service
  ingress:
    - toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "/public"

In the above example, requests would be permitted to all HTTP paths
on matching endpoints, rather than just GET requests to the /public
path as intended by the l7-port-range-rule policy. In patched
versions of Cilium, the l7-port-range-rule takes precedence over the
l3-port-range-rule for port 80.


Patches

This issue is patched in cilium/cilium#35150.

This issue affects Cilium v1.16 between v1.16.0 and v1.16.3
inclusive.

This issue is patched in Cilium v1.16.4.


Workarounds
_____________________________________________________________________
Users with network policies that match the pattern described above
can work around the issue by rewriting any policies that use port
ranges to individually specify the ports permitted for traffic.
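As an added example (not part of the advisory or of the Cilium project), the following Python checks a set of CiliumNetworkPolicy objects for the combination described under Impact, an L3/L4 port range on the same endpointSelector covering a port that an L7 policy selects, and applies the workaround above by expanding each range into individual ports. It assumes the manifests have already been loaded into dicts (the shape yaml.safe_load produces) and that ports are numeric; the two embedded policies are constructed from the advisory's YAML.

```python
import copy
# Constructed from the advisory's two example policies, in the dict form
# yaml.safe_load() would produce for a CiliumNetworkPolicy manifest.
L3_POLICY = {"metadata": {"name": "l3-port-range-rule"}, "spec": {
    "endpointSelector": {"matchLabels": {"app": "service"}},
    "ingress": [{"fromCIDR": ["192.168.60.0/24"], "toPorts": [{"ports": [
        {"port": "80", "endPort": 444, "protocol": "TCP"}]}]}]}}
L7_POLICY = {"metadata": {"name": "l7-port-range-rule"}, "spec": {
    "endpointSelector": {"matchLabels": {"app": "service"}},
    "ingress": [{"toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}],
        "rules": {"http": [{"method": "GET", "path": "/public"}]}}]}]}}

def _port_entries(policy):
    """Yield (direction, toPorts entry, port dict) for every port selector."""
    for direction in ("ingress", "egress"):
        for rule in policy["spec"].get(direction, []):
            for tp in rule.get("toPorts", []):
                for p in tp.get("ports", []):
                    yield direction, tp, p

def find_shadowed_l7(policies):
    """Return (l7 policy, range policy, port) for each single-port L7 selector
    that a port-range policy on the same endpointSelector also covers."""
    hits = []
    for l7 in policies:
        for d7, tp7, p7 in _port_entries(l7):
            if "rules" not in tp7 or "endPort" in p7:
                continue  # not a single-port L7 selector
            for rng in policies:
                if rng is l7 or rng["spec"]["endpointSelector"] != l7["spec"]["endpointSelector"]:
                    continue
                for dr, tpr, pr in _port_entries(rng):
                    if dr != d7 or "rules" in tpr or "endPort" not in pr:
                        continue  # only plain L3/L4 port ranges shadow L7 rules
                    if pr.get("protocol", "TCP") == p7.get("protocol", "TCP") and \
                            int(pr["port"]) <= int(p7["port"]) <= int(pr["endPort"]):
                        hits.append((l7["metadata"]["name"], rng["metadata"]["name"], int(p7["port"])))
    return hits

def expand_port_ranges(policy):
    """Apply the advisory's workaround: list every port of a range individually."""
    out = copy.deepcopy(policy)
    for direction in ("ingress", "egress"):
        for rule in out["spec"].get(direction, []):
            for tp in rule.get("toPorts", []):
                ports = []
                for p in tp.get("ports", []):
                    hi = int(p.pop("endPort", p["port"]))  # single port: hi == port
                    ports += [{**p, "port": str(n)} for n in range(int(p["port"]), hi + 1)]
                tp["ports"] = ports
    return out
```

Run find_shadowed_l7 over all policies of a namespace before upgrading; once expand_port_ranges has been applied to the flagged range policies, the check returns no hits.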


Acknowledgements

The Cilium community has worked together with members of Isovalent
to prepare these mitigations. Special thanks to @jrajahalme for
resolving this issue.


For more information

If you have any questions or comments about this advisory, please
reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we
strongly encourage you to report it to our security mailing list
at security@cilium.io. This is a private mailing list for the
Cilium security team, and your report will be treated as top
priority.


References

     GHSA-xg58-75qf-9r67
     cilium/cilium#35150
     https://nvd.nist.gov/vuln/detail/CVE-2024-52529

@ferozsalam published to cilium/cilium Nov 25, 2024
Published by the National Vulnerability Database Nov 25, 2024
Published to the GitHub Advisory Database Nov 25, 2024
Reviewed Nov 25, 2024
Last updated Nov 25, 2024


Severity
Moderate

6.9 / 10

CVSS v4 base metrics

Exploitability Metrics
     Attack Vector        : Network
     Attack Complexity    : Low
     Attack Requirements  : None
     Privileges Required  : None
     User Interaction     : None
Vulnerable System Impact Metrics
     Confidentiality      : Low
     Integrity            : None
     Availability         : None
Subsequent System Impact Metrics
     Confidentiality      : Low
     Integrity            : None
     Availability         : None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
EPSS score
0.043%  (10th percentile)

Weaknesses
CWE-755 CWE-862

CVE ID
CVE-2024-52529

GHSA ID
GHSA-xg58-75qf-9r67

Source code
cilium/cilium


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
